By its nature, a boshworkspace contains sensitive data (keys, certificates and passwords). To prevent leaks, it is recommended to encrypt this data before pushing it to, for example, GitHub.

In this blog post we will go over how to set up your boshworkspace repository to store encrypted versions of your deployment manifests, keys and, optionally, microbosh deployment files. The tools we will use are git-crypt and (optionally) keybase.io.

The above first downloads the public gpg key for user rkoster (you should use your own public gpg key), then uses this public key to create an encrypted version of the symmetric key and stores it in .git-crypt/keys/default/0/*.gpg.

This encrypted key can be decrypted by running git-crypt unlock.
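git-crypt decides which paths to encrypt from filter=git-crypt entries in .gitattributes, and a file that was committed before such an entry existed stays in plaintext. The check below is an added example, not code from the original post or from git-crypt itself: it reads the committed blobs (not the decrypted working tree) and reports any git-crypt-targeted file that lacks git-crypt's encrypted-blob header, so it can run in CI before a push where git-crypt is not installed. The .gitattributes content and blob bytes are constructed sample data; git-crypt status gives the same answer on a machine that has the tool.

```python
"""Added example: flag git-crypt-targeted files that a commit stores in plaintext.
Assumes git-crypt's on-disk format: every encrypted blob begins with the header
below (followed by a 12-byte nonce); a plaintext blob does not."""
import fnmatch
import subprocess

GITCRYPT_HEADER = b"\x00GITCRYPT\x00"  # magic written by git-crypt's clean filter

def gitcrypt_patterns(gitattributes_text):
    """Return the path patterns that .gitattributes assigns filter=git-crypt."""
    patterns = []
    for line in gitattributes_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not line.lstrip().startswith("#"):
            if "filter=git-crypt" in fields[1:]:
                patterns.append(fields[0])
    return patterns

def plaintext_secrets(committed_blobs, patterns):
    """Paths matching a git-crypt pattern whose committed bytes lack the header.
    fnmatch approximates gitattributes globbing ('*' here also crosses '/')."""
    leaked = [path for path, blob in committed_blobs.items()
              if any(fnmatch.fnmatch(path, pat) for pat in patterns)
              and not blob.startswith(GITCRYPT_HEADER)]
    return sorted(leaked)

def committed_blobs_from_git(repo="."):
    """Read the stored (clean-filtered) blobs at HEAD, not the decrypted working
    tree; `git cat-file blob` returns raw object bytes without textconv."""
    out = subprocess.check_output(["git", "-C", repo, "ls-files", "-z"])
    paths = [p.decode() for p in out.split(b"\0") if p]
    return {p: subprocess.check_output(["git", "-C", repo, "cat-file", "blob", "HEAD:" + p])
            for p in paths}

# Constructed sample data standing in for a real boshworkspace repository.
SAMPLE_GITATTRIBUTES = """\
# route manifests and keys through git-crypt
deployments/*.yml filter=git-crypt diff=git-crypt
*.pem filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
"""
SAMPLE_BLOBS = {
    "deployments/foo.yml": GITCRYPT_HEADER + b"\x11" * 12 + b"\x9a\x3c\x77",  # encrypted
    "deployments/bar.yml": b"---\nname: bar\n",                                 # plaintext!
    "ssl/bosh.pem": b"-----BEGIN RSA PRIVATE KEY-----\n",                       # plaintext!
    "README.md": b"# boshworkspace\n",                                          # not covered
}

if __name__ == "__main__":
    leaks = plaintext_secrets(SAMPLE_BLOBS, gitcrypt_patterns(SAMPLE_GITATTRIBUTES))
    print("plaintext secrets:", leaks)  # ['deployments/bar.yml', 'ssl/bosh.pem']
```

In a real repository replace SAMPLE_BLOBS with committed_blobs_from_git() and fail the push when the returned list is non-empty.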

Deploy

Now that we have a boshworkspace repo configured for encryption, let's explore the deployment side of things. For this demo we will create a foo.yml deployment, which we will decrypt on the inception/bastion server.

First, let's create the foo deployment (for demonstration purposes we will use an invalid manifest):

All that is left is unlocking the cloned repo with the exported key:

git-crypt unlock /tmp/key

Now the deployment file is decrypted:

> cat deployments/foo.yml
---
name: foo

This concludes the demonstration of how to use git-crypt in combination with bosh-workspace. We also used keybase.io for retrieving a user's public gpg key. Keybase was chosen because of its ease of use; there are, however, plenty of other solutions for distributing public gpg user keys.